Your Sensitive Information Was Accessed in a Government Hack? You May Have No Remedy.

In a statement issued on Wednesday, September 20th, 2017, the U.S. Securities and Exchange Commission (SEC) revealed that it was investigating a 2016 intrusion into its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The SEC does not believe that personally identifiable information was exposed, but the investigation is still ongoing, and it raises questions about government agencies’ obligations to protect sensitive information and about the litigation hurdles facing individuals affected by hacks of government agencies.

Federal agencies are obligated to protect the personal information they collect under the Federal Information Security Management Act (FISMA) of 2002, the Privacy Act of 1974, and the Office of Management and Budget’s policies and guidance on implementing those Acts. FISMA requires federal agencies to use measures that are “commensurate with the risk and magnitude of the harm” that could result from a breach, and the Privacy Act of 1974 requires agencies to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” In practice, however, incomplete compliance with these laws and policies appears to have left federal agencies vulnerable to cyberattacks.

In general, remedies for victims of these cyberattacks may be limited because the federal government is protected by sovereign immunity and cannot be sued unless it has waived that immunity or otherwise consented to suit. FISMA contains no private right of action, so the government has not waived its sovereign immunity under that statute; it has, however, waived immunity under other relevant statutes, such as the Administrative Procedure Act, which can offer a potential avenue for bringing suit. The Privacy Act, by contrast, does contain a private right of action, but its waiver of sovereign immunity applies only if a plaintiff can show that (1) the agency disclosed the information improperly and did so intentionally or willfully, and (2) the disclosure caused actual damages.

In 2015, U.S. taxpayers brought a class action against the IRS after a data breach, claiming the agency had violated the Privacy Act by negligently failing to protect the taxpayers’ personal information. The U.S. District Court for the District of Columbia dismissed the claim, holding that Congress had waived the agency’s sovereign immunity only where the agency had willfully disclosed personal information; negligence was not enough.

The U.S. District Court for the District of Columbia also dismissed a class action arising from the 2015 breach at the Office of Personnel Management (OPM), which affected 21.5 million people, because the plaintiffs failed to establish that the government had waived its sovereign immunity, a protection the court found also extended to the government contractor KeyPoint. The court further found that the agency’s allegedly negligent acts did not qualify as “intentional or willful,” and noted that the information had been stolen by a third party rather than disclosed by the agency.

Even if plaintiffs can overcome a sovereign immunity defense, they must still establish Article III standing. Under the Supreme Court’s Spokeo decision, “Article III standing requires a concrete injury even in the context of a statutory violation.” Although courts have varied in their reading of Spokeo and in what they require to satisfy the concreteness requirement, it is clear that plaintiffs must allege more than “a bare procedural violation.” For example, a recent D.C. district court decision required a showing of actual economic loss: out-of-pocket expenses tied to actual identity theft could satisfy the standard, but fees paid for credit monitoring and time spent remedying fraudulent transactions could not.

In short, while federal agencies have a duty to safeguard personal information, that duty has so far proven largely unenforceable in practice. In a recent article on the SEC hack, Avi Gesser asks whether the day will come when individuals and companies simply refuse to provide their most sensitive information to government agencies without first receiving some reasonable assurance that the agencies will protect it.

RELATED PROFESSIONALS

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.

Mr. Leibowitz is a partner in Davis Polk’s Washington DC and New York offices. His practice focuses on the complex antitrust aspects of mergers and acquisitions as well as government and private antitrust investigations and litigation. He also provides counsel in the developing areas of consumer protection and privacy law as well as advocacy involving Congress.

Mr. MacBride is co-chair of the firm’s White Collar Criminal Defense and Government Investigations Group. His practice focuses on government enforcement actions, internal investigations, congressional investigations, and complex civil litigation. His matters have included advising clients in connection with foreign corrupt practices, economic sanctions, cybersecurity risks, False Claims Act violations, market manipulation, insider trading, and securities, health care, procurement and tax fraud. His wide-ranging investigations and trial experience span more than two decades and across all three branches of the government, most recently as the U.S. Attorney for the Eastern District of Virginia.

Mr. Perez-Marques is a partner in Davis Polk’s Litigation Department. His practice spans complex commercial litigation, including securities and M&A-related litigation, as well as securities enforcement and white collar matters. He also has extensive experience advising Spanish, Latin American and other foreign clients concerning U.S. litigation matters, and domestic clients concerning overseas and cross-border disputes.

Ms. Seshens is a partner in Davis Polk’s Litigation Department. Her practice focuses on complex commercial litigation, securities class actions, and bankruptcy litigation. She has extensive experience representing corporate clients and professional firms with respect to a wide range of civil litigation and advisory matters.

Ms. Gross is counsel in Davis Polk’s Intellectual Property and Technology Department in the Northern California office. Her practice includes a wide range of intellectual property-related matters, including strategic alliances, joint ventures and licensing, as well as intellectual property strategy and commercialization, copyright, patent and trademark matters. She also advises clients on data privacy and security matters, including cybersecurity, technology and data initiatives, development of privacy and data security policies and product development.

Disclaimer

cyberbreachcenter.com is a collection of informational products provided by Davis Polk & Wardwell LLP. In its capacity as provider of cyberbreachcenter.com and its component parts, Davis Polk is acting as an information provider.
